Attribute-based authenticated key exchange - QUT ePrints

QUT Digital Repository: http://eprints.qut.edu.au/

This is the accepted version of this conference paper. Published as: Gorantla, M. Choudary and Boyd, Colin and Gonzalez Nieto, Juan M. (2010) Attribute-based authenticated key exchange. In: Information Security and Privacy : Proceedings of the 15th Australasian Conference, ACISP 2010, 5-7 July 2010, Macquarie Graduate School of Management, Sydney.

© Copyright 2010 Springer. This is the author-version of the work. Conference proceedings published, by Springer Verlag, will be available via Lecture Notes in Computer Science http://www.springer.de/comp/lncs/

Attribute-based Authenticated Key Exchange? M. Choudary Gorantla, Colin Boyd, and Juan Manuel Gonz´alez Nieto Information Security Institute, Faculty of IT, Queensland University of Technology GPO Box 2434, Brisbane, QLD 4001, Australia. Email: [email protected], {c.boyd,j.gonzaleznieto}@qut.edu.au

Abstract. We introduce the concept of attribute-based authenticated key exchange (AB-AKE) within the framework of ciphertext policy attribute-based systems. A notion of AKE-security for AB-AKE is presented based on the security models for group key exchange protocols and also taking into account the security requirements generally considered in the ciphertext policy attribute-based setting. We also extend the paradigm of hybrid encryption to the ciphertext policy attribute-based encryption schemes. A new primitive called encapsulation policy attribute-based key encapsulation mechanism (EP-AB-KEM) is introduced and a notion of chosen ciphertext security is defined for EP-AB-KEMs. We propose an EP-AB-KEM from an existing attribute-based encryption scheme and show that it achieves chosen ciphertext security in the generic group and random oracle models. We present a generic one-round AB-AKE protocol that satisfies our AKE-security notion. The protocol is generically constructed from any EP-AB-KEM that satisfies chosen ciphertext security. Instantiating the generic AB-AKE protocol with our EP-AB-KEM will result in a concrete one-round AB-AKE protocol also secure in the generic group and random oracle models. Keywords. Attribute-based Key Exchange, Attribute-based KEM, Group Key Exchange

1

Introduction

In a distributed collaborative system, it is often convenient for the members to communicate with the others in the system using attributes that describe their roles or responsibilities. These attributes are highly desirable if the members join/leave the system dynamically. Consider an Internet forum where the members are organized into user groups based on the members’ skills or privileges. It is a natural requirement that the members of a user group should be able to establish secure communication with the other members belonging to particular user groups. The communication in these forums is generally carried out through initiating a thread or by posting messages within an existing thread. To enable authentic and confidential communication, the forum administrator may specify an access policy with the user groups being attributes. Obviously, only the members of the forum whose attributes (e.g. membership to user groups) satisfy the policy should be able to have read and/or write access to the thread. In the above scenario, the members do not necessarily have to know the identity of the other members with whom they want to communicate. In fact, the administrator may be requested not to disclose the identity of a member to the others for privacy reasons. Any member whose attributes satisfy the policy specified by the administrator should be able to participate in the communication. Note that the communication can naturally be among a group of more than two members, since the defined policy may be satisfied by attributes of more than two members. Hence, an authenticated group key exchange protocol that facilitates attributes usage can be employed in this setting. We call such a protocol, an attribute-based authenticated key exchange (AB-AKE) protocol. Once a session key among the willing participants has been established via the key exchange protocol, it can be used for establishing secure communication among the participants. ?

This work has been supported in part by the Australian Research Council through Discovery Project DP0666065.

We can further envisage applications for AB-AKE in interactive chat rooms and also in organizations with strict hierarchy like the military. In interactive chat rooms, each room may be associated with a policy defined with a set of interests being the attributes. Any member whose interests satisfy the policy of a chat room can have read and/or write access to it. Similarly, a policy over ranks (e.g., Sergeant, Lieutenant, Major, Colonel etc.) as attributes can be specified for the units in the military by another unit at a higher level in the hierarchy. All the units whose attributes satisfy the policy can establish secure communication among themselves through an AB-AKE protocol. Attribute-based Encryption. Sahai and Waters [29] introduced the concept of attribute based encryption (ABE) as an extension to ID-based encryption [7], in which a set of descriptive attributes is regarded as an identity. Goyal et al. [22] further extended the idea of ABE and introduced two variants: key policy attribute based encryption (KP-ABE) and ciphertext policy attribute based encryption (CP-ABE). In a KP-ABE system, the private key of a party is associated with an access policy defined over a set of attributes while the ciphertext is associated with a set of attributes. A ciphertext can be decrypted by a party if the attributes associated with the ciphertext satisfy the policy associated the user’s private key. A CP-ABE system can be seen as a complementary form to KP-ABE system, wherein the private key is associated with a set of attributes, while a policy defined over a set of attributes is attached to the ciphertext. A ciphertext can be decrypted by a party if the attributes associated with its private key satisfy the ciphertext’s policy. 1.1

Contributions

In this paper, we introduce the concept of AB-AKE. We assume that each member willing to participate in an AB-AKE protocol is issued a private key for a set of attributes that he/she possesses. Our modelling of AB-AKE follows the framework of CP-ABE in that the attributes are associated with the private keys. We assume that the members are given an access policy which their attributes have to satisfy for them to participate in the protocol. Alternatively, a common policy may be negotiated by the group members themselves. The protocol takes the access policy as input and computes messages for the other parties. Similar to the CP-ABE systems, we may assume that the policy is attached to the protocol messages in an AB-AKE protocol, although this assumption is not necessary since each member knows the policy at the outset of the protocol. A member whose attributes satisfy the given policy can compute the session key from the incoming messages and (if exists) its own contribution. While a complementary flavour of AB-AKE can be conceptualized based on KP-ABE systems, we do not explore this direction in this work. For the type of applications that we have discussed earlier, AB-AKE protocols based on CP-ABE systems suit well. AB-AKE can be seen as an extension of group key exchange (GKE) [11, 26, 25] with the additional expressiveness provided by the ciphertext-policy attribute-based systems. We define a notion of authenticated key exchange security (AKE-security) for AB-AKE by adapting a corresponding notion for GKE to the attributebased setting. The property of collusion resistance considered by attribute-based systems [22, 4, 32] is naturally embedded into our AKE-security notion. We then propose a generic one-round AB-AKE protocol that satisfies our AKE-security notion. The protocol is based on a type of attribute-based key encapsulation mechanism (KEM) that we call encapsulation policy attribute-based KEM (EP-AB-KEM). In an EP-AB-KEM, the attributes are associated to the private key of a party and access policy is attached to the encapsulation. We 2

define a notion of chosen ciphertext security for EP-AB-KEM based on a corresponding notion considered for CP-ABE schemes. Our AB-AKE protocol is generic in the sense that it can be instantiated using any EP-AB-KEM that satisfies chosen ciphertext security. We propose a chosen-ciphertext secure EP-AB-KEM based on the CP-ABE scheme of Bethencourt et al. [4] and using the generic technique of Boneh et al. [9]. While we apply the technique of Boneh et al. to the chosen plaintext secure EP-AB-KEM implicit in Bethencourt et al.’s scheme, we also make some non-trivial changes to adapt it to the attributebased setting. The proposed EP-AB-KEM is then proven secure in the generic group and random oracle models. Incidentally, we are the first to model and construct EP-AB-KEMs, which are of independent interest. Finally, an AB-AKE protocol satisfying our AKE-security provides implicit authentication that is similar to the corresponding notion considered for normal key exchange protocols. Particularly, our AKE-security notion ensures each protocol participant that no other party apart from parties who satisfy the given policy can possibly learn the value of the session key. Note that an EP-AB-KEM cannot achieve this property since it does not provide any sender authentication. Consequently, the receivers in EP-AB-KEM whose attributes satisfy the policy have no way of knowing whether the sender actually satisfies the same policy or not. For example, if we use an EP-AB-KEM in a user group, any one can post a message that is encrypted with the symmetric of the EP-AB-KEM. Alternatively, if the message is encrypted with a session key derived from an AB-AKE protocol the readers will get the assurance that only someone with valid attribute set has posted the message. Our generic construction of AB-AKE can be seen as an extension of the protocols of Boyd et al. [10] and Gorantla et al. [19] to the attribute-based setting. One disadvantage of our protocol is that it cannot provide forward secrecy. However, for some of the applications that we have discussed, forward secrecy may not be necessary. For example, in an Internet forum the administrator may like to moderate the content posted in the user groups or in the military a unit at a higher rank would like to monitor the communication among the units at the same or a lower rank. In such scenarios, an AB-AKE protocol without forward secrecy will be useful since any party with the right attribute set will be able to recover the session key and consequently the messages encrypted with it. Nevertheless, forward secrecy is generally a highly desirable property for key exchange protocols. Hence, we also sketch constructions of AB-AKE protocols that can achieve forward secrecy. 1.2

Related Work

The concept of fuzzy secret handshake proposed by Ateniese et al. [1] seems closely related to our modelling of AB-AKE. However, there are a few important differences: In AB-AKE, we allow policies specified by the members to be very expressive consisting of several threshold gates, while fuzzy secret handshake only considers a single threshold gate. In a (fuzzy) secret handshake protocol, if a member do not satisfy the attributes specified by another member, the attributes of none of the members can be learned by the other member. On the other hand, in an AB-AKE protocol, if a member does not satisfy the policy specified by the other members, the members do not know anything about the attributes of the other members except what can be inferred by the policies attached to the protocol messages. Although both the properties look similar, we emphasize that an AB-AKE protocol would not hide the affiliation of the members even if the protocol was not successful [23]. Note that the property of “affiliation hiding” is the main requirement for (fuzzy) 3

secret handshakes. Finally, the fuzzy secret handshake protocol of Ateniese et al. considers only two party setting, while our protocol naturally operates in a group setting. In independent work, Steinwandt and Corona [31] proposed a two-round attribute-based group key exchange protocol that achieves forward secrecy. Their protocol uses the GKE protocol of Bohli et al. [6] as the base protocol and replaces the public key signature scheme in Bohli et al. with an attribute-based signcryption scheme to authenticate the protocol messages. Recently, Birkett and Stebila [5] introduced the concept of predicate-based key exchange which encompasses key policy attribute-based key exchange. However, their security model considers key exchange between only two parties. 1.3

Organization

Section 2 presents a security model for EP-AB-KEM and also proposes a chosen ciphertext secure EP-AB-KEM. We first define a security model for AB-AKE in Section 3 and then present a generic one round AB-AKE protocol based on EP-AB-KEM. In Appendix 5, we outline how to construct AB-AKE protocols with forward secrecy. Appendices A, B and C contain preliminaries, proof of the proposed EP-AB-KEM and proof of the generic AB-AKE protocol respectively. We describe the hybrid CP-ABE construction and prove its security in Appendix D.

2

Encapsulation Policy Attribute-based KEM

We first give a formal definition of security for EP-AB-KEM. As in the earlier attribute-based systems [22, 4], we review the definition of an access structure and use it in the security model. Later, we present a concrete EP-AB-KEM based on the CP-ABE scheme of Bethencourt et al. [4]. Definition 1 (Access Structure [2]). Let {U1 , · · · , Un } be a set of parties. A collection A ⊆ 2{U1 ,··· ,Un } is monotone if ∀B, C : if B ∈ A and B ⊆ C then C ∈ A. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) A of non-empty subsets of {U1 , · · · , Un }, i.e., A ⊆ 2{U1 ,··· ,Un } \ {φ}. The sets in A are called authorized sets, and the sets not in A are called the unauthorized sets. In our EP-AB-KEM and later in the protocol, each party is assumed to possess a set of attributes. A policy over a set of attributes is specified through an access structure A. Hence, A contains the authorized sets of attributes i.e., A ⊆ 2{S1 ,··· ,Sn } \ {φ} for a given set of attributes {S1 , · · · , Sn }. As in the CP-ABE of Bethencourt et al., we consider only monotonic access structures. In the rest of the paper, by an access structure we mean a monotonic one. A EP-AB-KEM consists of five polynomial-time algorithms: Setup: takes the security parameter k and the attribute universe description U as inputs. The public parameters PK and the master key MK are the outputs. Encapsulation: takes as input the public parameters PK and an access structure A over the attribute universe U. It outputs an encapsulation C and a symmetric key K such that only a user with attributes satisfying A can recover K from C. Similar to the CP-ABE schemes, we assume that the encapsulation implicitly contains A. KeyGen: takes as input the master key MK , the public parameters PK and a set of attributes S of a user that give a description of the user’s private key. The output is the user’s private key SK . 4

Decapsulation: takes as input the public parameters PK , an encapsulation C which contains an access structure A and a private key SK corresponding to a set of attributes S. The algorithm outputs either a symmetric key K or ⊥. We also define an optional delegation algorithm, which allows a user with attribute sets S and a corresponding secret key SK to derive a secret key for another set of attributes S˜ such that S˜ ⊆ S. Delegate: takes as input the public parameters PK , a secret key SK corresponding to a set of ˜ for the attribute set S. ˜ attributes S and a set S˜ ⊆ S. It outputs a secret key SK For an EP-AB-KEM to be considered valid, it is required that for any key SK corresponding to an attribute set S, if S satisfies A and if (K, C) ← Encapsulation(PK , A), then Decapsulation(PK , C, SK ) = K. 2.1

Security Model

Bethencourt et al. [4] defined a notion of indistinguishability under chosen plaintext attack (INDCPA) for CP-ABE schemes. In this section, we adapt their notion and extend it to define a notion of indistinguishability under chosen ciphertext attacks (IND-CCA) for EP-AB-KEM. The security notion is formally defined as follows. Definition 2. An EP-AB-KEM is IND-CCA secure if the advantage of any probabilistic polynomial time adversary Acca in the following game is negligible in the security parameter k. Setup: The challenger runs the Setup algorithm and returns PK to Acca . Phase 1: Acca issues Extract and Decap queries as follows: Extract: This query can be issued multiple times with sets of attributes S1 , · · · , Sq1 as input. The challenger returns a private key corresponding to each input attribute set. We do not require the input attribute sets to be distinct. Decap: This query is issued with an encapsulation C and an attribute set S as inputs. Note that C implicitly contains an access structure A defined over the attribute universe U. The challenger executes the Decapsulation algorithm on C using a private key corresponding to S and returns the output of Decapsulation to Acca . Challenge: At the end of Phase 1, Acca gives an access structure A∗ defined over U to the challenger. The challenger first chooses a bit b. It then runs the Encapsulation algorithm with A∗ as input and generates a symmetric key–encapsulation pair (K1 , C ∗ ). It then sets K0 to be a random key drawn from the probability distribution of the symmetric key. The tuple (Kb , C ∗ ) is returned to Acca as the challenge. A trivial restriction on the adversary’s choice of A∗ is that none of the attributes sets S1 , · · · , Sq1 passed as input to Extract queries in Phase 1 should satisfy A∗ . Phase 2: Acca is allowed to execute in the same way as in Phase 1 with the following restrictions: (1) none of the attribute sets Sq1 +1 , · · · , Sq passed as input to Extract queries in Phase 2 satisfy A∗ and (2) a Decap query with C ∗ as input in combination with an attribute set S ∗ that satisfies A∗ is not allowed. Guess: The goal of Acca is to guess whether the key Kb is encapsulated within C ∗ or not. Acca finally outputs a guess bit b0 . It wins the game if b0 = b. The advantage of Acca is given as AdvAcca = |2 · Pr[b0 = b] − 1|. 5

Existing security notions for CP-ABE schemes also consider the weaker selective model where declares the challenge access structure A∗ before the Setup phase. Similarly, a corresponding model for EP-AB-KEMs can be defined. Similar to earlier CP-ABE schemes [4, 13, 32], we have not explicitly modelled the delegation mechanism in the security model for EP-AB-KEMs. However, we require that for a given set of attributes, a secret key output by the Delegate algorithm will have identical distribution to the one output by the KeyGen algorithm. In particular, the Decapsulation algorithm using a private key SK should work in the same way irrespective of SK being an output of KeyGen or Delegate. Our security model for EP-AB-KEMs suffices in the presence of an adversary who may obtain delegated private keys since such queries can be simulated using Extract queries. Acca

Remark 1. In Definition 2, Acca is allowed to issue multiple Extract queries with attribute sets as input such that none of the individual sets Si satisfy the challenge access structure A∗ . Hence, similar to earlier definitions of attribute-based encryption schemes, our definition also takes care of collusion resistance. An EP-AB-KEM satisfying the above definition ensures that from the private keys of Si ’s, Acca cannot construct a private key corresponding to another attribute set S ∗ such that S ∗ satisfies A∗ . Hybrid CP-ABE. An EP-AB-KEM satisfying the above IND-CCA security notion can be combined with any IND-CCA secure data encapsulation mechanism to construct an IND-CCA secure CP-ABE scheme [14, 15]. We describe the hybrid construction and prove its security in Appendix D. 2.2

A Chosen Ciphertext Secure EP-AB-KEM

Bethencourt et al. [4] first proposed a construction of a CP-ABE scheme. Their scheme was shown IND-CPA secure assuming generic group and random oracle models. Later, many CP-ABE schemes [21, 13, 32] have been proposed and shown IND-CPA secure without assuming generic group or random oracle models, but analyzed only in the selective model of security. Recently, Lewko et al. [27] proposed a fully secure CP-ABE scheme in the standard model using composite order bilinear groups. We now construct an IND-CCA secure EP-AB-KEM based on the CP-ABE scheme of Bethencourt et al.. The idea is to enhance the security of the IND-CPA secure EP-AB-KEM that is implicit in Bethencourt et al.’s CP-ABE scheme. For this purpose, the techniques of Fujisaki and Okamoto [18, 17] and Canetti et al. (CHK) [12] can be applied in the random oracle and standard models respectively. As remarked by Bethencourt et al., IND-CCA security for CP-ABE (and correspondingly for EP-AB-KEM) schemes can be achieved by a straightforward application of the Fujisaki-Okamoto technique. Bethencourt et al. also suggested that the delegation mechanism of their CP-ABE scheme can be leveraged to achieve IND-CCA security using the CHK transform. However, we observe that applying the CHK transform to CP-ABE schemes (similarly to EP-AB-KEMs) is slightly more involved. Specifically, contrary to the approach followed by KP-ABE schemes, IND-CCA security for CP-ABE schemes cannot be achieved by directly leveraging the delegation mechanism. We later discuss why this is so and then present an IND-CCA secure EP-AB-KEM by making a few changes to the Setup and Encapsulation algorithms derived from Bethencourt et al.’s CP-ABE scheme. Although the CHK technique can be used to achieve IND-CCA security in the standard 6

model, our EP-AB-KEM will only be secure assuming generic groups and random oracles since the base CP-ABE scheme also assumes the same. Finally, we choose the scheme of Bethencourt et al. because it is secure in the fully adaptive model (i.e., non-selective model). In Remark 3, we discuss the necessity of an EP-AB-KEM to be secure in the adaptive model for constructing AB-AKE protocols. The IND-CCA secure scheme first generates a one-time key pair (sk , vk ) for a signature scheme with the condition that the verification key is of the same length as the length of an attribute in the attribute universe U. Let A be the access structure given as input to the EP-AB-KEM. We now construct a more restrictive access structure A0 = A AND vk and execute the CPA-secure EP-AB-KEM under A0 . The resulting encapsulation is then signed using the one-time signing key sk . The encapsulation of the CCA-secure EP-AB-KEM contains the encapsulation generated by the underlying CPA-secure EP-AB-KEM, the signature generated on it and the verification key vk . The recipient first checks the signature using vk and then executes the CPA-secure KEM’s decapsulation algorithm under A0 to extract the symmetric key. While the above informal description of our construction directly follows the CHK technique, the tricky part in the context of EP-AB-KEM (or CP-ABE) is to empower the recipient with a private key corresponding to the attributes that satisfy the modified access structure A0 . The recipient may already possess attributes that satisfy A. However, since the verification key vk is one-time and chosen randomly for each execution of EP-AB-KEM, the recipient cannot be issued with a private key that can decrypt messages encrypted under A0 = A AND vk . This problem cannot be addressed by the delegation mechanism in an EP-AB-KEM (or CP-ABE) scheme since it can be used to derive private key corresponding to an attribute set S 0 from the one corresponding to S only if S 0 ⊆ S. But, we have an additional attribute in the form of vk . Note that this is not a problem in the KP-ABE system since it naturally allows a party with a private key corresponding to an access structure A to derive private keys corresponding to access structures that are more restrictive than A. To address the above problem, we make modifications to the Setup and Encapsulation algorithms derived from the CP-ABE scheme of Bethencourt et al. [4]. Our EP-AB-KEM now enables a recipient with private key for attributes that satisfy A to decapsulate an encapsulation created under A0 , irrespective of the choice of vk by the sender. As in the CP-ABE scheme of Bethencourt et al., an access structure A is represented in the form of an access tree T . Access Tree. Let T be a tree representing an access structure. Each interior node of T represents a threshold gate, while each leaf node is described by an attribute. Let numx be the number of children of a node x and let kx be its threshold value. We have 0 ≤ kx ≤ numx . A threshold gate associated to an internal node with threshold value kx outputs true if at least kx of its children output true. If the threshold gate represented by an interior node is an AND gate then kx = numx and if the gate is OR, kx = 1. The threshold value for each leaf node x is defined to be kx = 1. The parent of a node x in the tree T is denoted by the function parent(x), while the attribute of a leaf node x is denoted by att(x). The children of each interior node are numbered from 1 to numx . The function index(x) returns such a number associated with a node x. We assume that the index values are uniquely assigned in an arbitrary manner for a given access structure. Satisfying an access tree. Let r be the root of an access tree T . The subtree of T rooted at a node x is denoted by T x . If a set of attributes γ satisfy the access tree T x , it is denoted as Tx (γ) = 1. The function Tx (γ) is computed recursively as follows: If x is an interior node, for each 7

children x0 of x, Tx0 (γ) is evaluated. Tx (γ) returns 1 if and only if at least kx children of x return 1. If x is a leaf node, Tx (γ) returns 1 if and only if att(x) ∈ γ. Let G0 and G1 be two multiplicative groups of prime order p and g be an arbitrary generator of G0 . Let e : G0 × G0 → G1 be an admissible bilinear map as defined in Section A.1. The Lagrange’s coefficient ∆i,S for i ∈ Zp and a set S of elements in Zp is defined as: ∆i,S = Πj∈S,j6=i x−j i−j . Setup(k). It chooses the groups G0 , G1 and defines a bilinear map e : G0 × G0 → G1 . It also selects α, β1 , β2 ∈ Zp such that β1 6= β2 , β1 6= 0 and β2 6= 0. The public key is   PK = G0 , G1 , e, g, h1 = g β1 , f1 = g 1/β1 , h2 = g β2 , f2 = g 1/β2 , e(g, g)α . The master key MK is (β1 , β2 , g α ). Encapsulation(PK , T ). This algorithm generates an encapsulation and a symmetric key under the access tree T using the public key PK . It first executes the KeyGen algorithm of the signature scheme (ref. Section A.2) and obtains a one-time key pair (sk , vk ). Let A be the access structure represented by T . The algorithm now constructs a new access tree T 0 for the access structure (A AND vk ) as follows: Let R be the root node of T . The root node R0 of the new tree T 0 is set as the AND gate with T as its subtree and the verification key vk as a leaf node attached to R0 . The algorithm now generates a polynomial qx for each node x in the tree T 0 in a top-down approach as follows: Starting from the root node R0 , for each node x in the tree set the degree dx of the polynomial associated with x to be kx − 1 i.e., the degree of the polynomial is one less than the threshold value associated with the node x. The algorithm starts from the root node and first chooses a random s ∈ Zp . Then it chooses dR0 other points randomly to define the polynomial q(R0 ). For any node x other than the root, it sets qx (0) = qparent(x) (index(x)) and chooses dx other points randomly to define the polynomial q(x). Let Y be the set of leaf nodes in the subtree T rooted at R. The only other leaf node in the tree T 0 is the one that describes the verification key vk . The algorithm proceeds as follows: 1. K = e(g, g)αs . 2. C1 = hs1 . 3. ∀y ∈ Y : Cy = g qy (0) , Cy0 = H(att(y))qy (0) . q (0)

0 = H(vk )qvk (0) . 4. Cvk = h2vk , Cvk 0 ), ∀y ∈ Y . Compute a signature σ = Sig (C). 5. Let C = (T 0 , C1 , Cy , Cy0 , Cvk , Cvk sk

The final encapsulation C = (C, vk , σ). KeyGen(MK ,PK , S). It chooses r, rvk ∈ Zp and rj ∈ Zp for each j ∈ S. The private key is computed as: SK = (D = g (α+r)/β1 , E = g r/β2 , ∀j ∈ S : Dj = g r · H(j)rj , Dj0 = g rj ). ˜ It takes as input a secret key SK corresponding to a set of attributes S and Delegate(SK , PK , S). ˜ another set S ⊆ S. The key SK is of the form SK = (D, E, ∀j ∈ S : Dj , Dj0 ). The algorithm ˜ The new key for S˜ is generated as: chooses r˜ and r˜k ∀k ∈ S. ˜ = Ef2r˜, ∀k ∈ S˜ : D ˜ k = Dk g r˜H(k)r˜k , D ˜ 0 = D0 g r˜k ). ˜ = (D ˜ = Df1r˜, E SK k k 8

Decapsulation(SK , PK , C). Upon receiving an encapsulation C, the decryptor first parses the access tree T 0 . It then extracts the subtree T rooted at R from T 0 . Note that this can be easily done since the node that describes the verification key as an attribute can be identified with the help of the verification key vk sent in the encapsulation. The algorithm first verifies the signature σ on C using the verification key vk . If the verification succeeds, it proceeds as follows:

Fvk =

e(Cvk , H(vk ) · g r/β2 ) e(Cvk , g r/β2 ) · e(Cvk , H(vk )) = 0 ,h ) 0 ,h ) e(Cvk e(Cvk 2 2 q (0)

=

(1)

q (0)

, g r/β2 ) · e(h2vk , H(vk )) e(H(vk )qvk (0) , h2 )

e(h2vk

= e(g β2 ·qvk (0) , g r/β2 ) = e(g, g)rqvk (0) . A recursive algorithm DecryptNode(C, SK , x) that takes as input C, a private key SK associated with a set of attributes S and a node x from the subtree T is then executed as below: If x is a leaf node, then let i = att(x). If i ∈ / S, then DecryptNode(C, SK , x) = ⊥. Otherwise it is defined as follows: e(Di ,Cx ) e(g r ·H(i)ri ,g qx (0) ) DecryptNode(C, SK , x) = e(D = e(g, g)rqx (0) . 0 ,C 0 ) = e(g ri ,H(i)qx (0) ) i x If x is an interior node then DecryptNode(C, SK , x) proceeds as follows: For all nodes z that are children of x, the algorithm DecryptNode(C, sk , z) is called. The output is stored as Fz . Let Sx be an arbitrary kx -sized set of child nodes z such that Fz 6= ⊥. If no such set exists, the function returns ⊥. Otherwise, the decapsulation algorithm proceeds as follows:

Fx =

Y

∆i,S 0 (0)

Fz

x

, where i = index(z), Sx0 = {index(z) : z ∈ Sx }

z∈Sx

=

Y

(e(g, g)r·qz (0) )

∆i,S 0 (0) x

z∈Sx

=

Y

∆i,S 0 (0)

(e(g, g)r·qparent(z) (index(z)) )

x

z∈Sx

=

Y

r·qx (i)·∆i,S 0 (0)

(e(g, g)

x

z∈Sx

= (e(g, g)r·qx (0) . Finally, the decapsulation algorithm calls the DecryptNode algorithm on the node R, which is the root of the subtree T . If T is satisfied by the attribute set S, then we have FR = DecryptNode(C, SK , R) = e(g, g)r·qR (0) . We now compute FR0 from Fvk and FR using polynomial interpolation as follows:

FR0 =

Y

∆index(x),{R,vk }

Fx

x∈{R,vk }

= e(g, g)r·qR0 (0) = e(g, g)rs . 9

Let A = e(g, g)rs . The symmetric key is recovered as e(C1 , D) e(hs1 , g (α+r)β1 ) e(g, g)s(α+r) = = = e(g, g)αs = K. A e(g, g)rs e(g, g)rs

(2)

Note that in Equation 1, we implicitly verify that the one-time verification key has not been replaced. If vk was replaced the symmetric key computed in Equation 2 would be ⊥. Alternatively, the verification check can be done explicitly at the cost of an additional pairing operation. In Appendix B, we show that the proposed EP-AB-KEM is IND-CCA secure in the generic group and random oracle models.

3

Attribute-based Authenticated Key Exchange

An AB-AKE protocol consists of three polynomial-time algorithms: Setup, KeyGen and KeyExchange. The Setup and KeyGen algorithms are identical to those defined for EP-AB-KEM in Section 2. Each party in the AB-AKE protocol executes the KeyExchange algorithm which initially takes as input the master public key PK , an access structure A and a private key for a set of attributes S. If S satisfies A, KeyExchange proceeds as per specification and may generate outgoing messages and also accept incoming messages from other parties as inputs. The output of KeyExchange is either a session key κ or ⊥. Communication Model. Let U= {U1 , · · · , Un } be a set of n users. The protocol may be executed ˜ ⊆ U of size n among any subset U ˜ ≥ 2. We assume that each user has a set of descriptive attributes. Let SK i be the private key corresponding to an attribute set Si of user Ui . We assume that an access structure A is given as input to all the users. Note that this A may be specified by a higher level protocol. Alternatively, the users can run an interactive protocol to negotiate a common access structure A. We also assume that all the users execute the protocol honestly. If a user Ui wants to establish a session key with respect to an access structure A, it first checks whether its attribute set Si satisfies A or not i.e., checks if Si ∈ A. Ui proceeds with the protocol execution only if Si satisfies A. Thus, any user Uj with attribute set Sj that satisfies A is a potential participant in the key exchange protocol. The set of parties whose individual attributes satisfy A can compute a common session key. An AB-AKE protocol π executed among n ˜ ≤ n users is modelled as a collection of n ˜ programs running at the n ˜ parties. Each instance of π within a party is defined as a session and each party may have multiple such sessions running concurrently. Let πij be the j-th run of the protocol π at ˜ Each protocol instance at a party is identified by a unique session ID. We assume party Ui ∈ U. that the session ID is derived during the run of the protocol. The session ID of an instance πij is denoted by sidji . An instance πij enters an accepted state when it computes a session key sk ji . Note that an instance may terminate without ever entering into an accepted state. The information of whether an instance has terminated with acceptance or without acceptance is assumed to be public. Note that there may be more than one party whose attributes satisfy A, hence we consider a group setting for AB-AKE. We define partnership in AB-AKE protocol as follows: A set of n ˜ instances at n ˜ different parties U˜ ⊆ U are called partners if 1. they all have the same session ID; and 10

2. the attributes of each Ui ∈ U˜ satisfy A. An AB-AKE protocol is called correct if the instances at the parties in U˜ are partnered and output identical session keys in the presence of a passive adversary. Adversarial Model. The communication network is assumed to be fully controlled by the adversary, which schedules and mediates the sessions among all the parties. The adversary is allowed to insert, delete or modify the protocol messages. We also assume that it is the adversary that may select the protocol participants from the set U. While the adversary may not know the attribute set that a user possesses, it can initiate an instance of the AB-AKE protocol with an access structure of its choice. In addition to controlling the message transmission, the adversary is allowed to ask the following queries. – Send(πij ,m) sends a message m to the instance πij . If the message is A, the instance πij is initiated with the access structure A. Otherwise, the message is processed as per the protocol specification. The response of πij to any Send query is returned to the adversary. – RevealKey(πij ) If πij has accepted, the adversary is given the session key sk ji established at πij . – Corrupt(Si ) This query returns a private key SK i corresponding to the attribute set Si . – Test(πij ) A random bit b is secretly chosen. If b = 1, the adversary is given sk ji established at πij . Otherwise, a random value chosen from the session key probability distribution is given. Note that a Test query is allowed only on an accepted instance. Definition 3 (Freshness). Let A be the access structure for an instance πij . πij is called fresh if the following the conditions hold: (1) the instance πij or any of its partners has not been asked a RevealKey query and (2) there has not been a Corrupt query on an input Si such that Si satisfies A. Definition 4 (AKE-security). An adversary Aake against the AKE-security notion is allowed to make Send, RevealKey and Corrupt queries in Stage 1. Aake makes a Test query to an instance πij at the end of Stage 1 and is given a challenge key Kb as described above. It can continue asking queries in Stage 2. Finally, Aake outputs a bit b0 and wins the AKE-security game if (1) b0 = b and (2) the Test instance πij remains fresh till the end of Aake ’s execution. Let SuccAake be the event that Aake wins the AKE-security game. The advantage of Aake in winning this game is AdvAake = |2·Pr[SuccAake ]−1|. A protocol is called AKE-secure if AdvAake is negligible in the security parameter k for any polynomial time Aake . Remark 2. By allowing the adversary to reveal the private keys corresponding to attribute sets which individually do not satisfy the given access structure A∗ in the test session, our definition naturally considers collusion resistance. In other words, any number of parties whose individual attribute sets do not satisfy A∗ may collude among themselves and try to violate the AKE-security of the protocol. An AB-AKE protocol satisfying our AKE-security notion will still remain secure against such collusion attacks.

4

A Generic One-round AB-AKE Protocol

We now present a simple generic AB-AKE protocol based on IND-CCA secure EP-AB-KEM. Informally, each party executes an EP-AB-KEM in parallel and combines the symmetric key it has 11

Computation Each Ui executes an EP-AB-KEM on the input (PK , T ) where PK is the master public key and T is the access tree that represents an access structure A. As a result, a symmetric key and encapsulation pair (Ki , Ci ) is obtained. (Ki , Ci ) ← Encapsulation(PK , T ). Broadcast Each Ui broadcasts the generated encapsulation Ci . Ui → ∗ : Ci . Key Computation 1. Each Ui executes the decapsulation algorithm using its private key SK i on each of the incoming encapsulations Cj and obtains the symmetric keys Kj , for j 6= i. Kj ← Decapsulation(sk i , Cj ) for each j 6= i. 2. Each Ui then computes the session ID as the concatenation of all the outgoing and incoming messages exchanged i.e. sid = (C1 k · · · kCn˜ ), where n ˜ is the number of protocol participants. 3. The session key κ is then computed as κ = fK1 (sid) ⊕ fK2 (sid) ⊕ · · · ⊕ fKn˜ (sid) where f is a pseudorandom function.

Fig. 1. A Generic One-round AB-AKE Protocol

generated with the symmetric keys extracted from the incoming messages to establish a common session key. Our construction is an extension of the one-round protocols of Boyd et al. [10] and Gorantla et al. [19] to the attribute-based setting. Figure 1 presents our generic one-round AB-AKE protocol. At the beginning of the protocol each party is given an access structure A represented via an access tree T . The protocol uses an EP-AB-KEM scheme (Setup, Encapsulation, KeyGen, Decapsulation). Each Ui is issued a private key SK i corresponding to the attributes set Si that it possesses. Each party Ui who has attribute set Si satisfying the access structure A runs the Encapsulation algorithm and obtains a symmetric key-encapsulation pair (Ki , Ci ). The parties broadcast the encapsulations to the other parties. Upon receiving the encapsulations, each party runs the Decapsulation algorithm using the its private key on each of the incoming encapsulations and extracts the symmetric keys. The number of protocol participants n ˜ can be derived based on the number of input messages received within a prescribed time period. The session key is finally computed by each party from the symmetric key that it has generated and all the symmetric keys decapsulated from the incoming encapsulations. A pseudo-random function f is applied to derive the session key. We assume that the symmetric key output by the Decapsulation algorithm can be directly used as a seed for f . Otherwise, we will have to extract and then expand the randomness from the output of the Decapsulation algorithm as done by Boyd et al. [10]. Theorem 1. The AB-AKE protocol in Fig. 1 is AKE-secure as per Definition 4 assuming that the underlying EP-AB-KEM is IND-CCA secure. The advantage of Aake is 12

˜· AdvAake ≤ n

qs2 + qs · (˜ n · AdvAprf + AdvAcca ) |C|

where n ˜ is the number of parties in the protocol, qs is the number of sessions Aake is allowed to activate, |C| is the size of the ciphertext space, AdvAcca is the advantage of a polynomial adversary Acca against the IND-CCA security of the underlying EP-AB-KEM and AdvAprf is the advantage of a polynomial adversary Aprf against the pseudorandomness of the pseudorandom function f . The proof of the above theorem is given in Appendix C. Concrete Instantiation. From the EP-AB-KEM proposed in Section 2.2, a concrete AB-AKE protocol can be directly realized. It follows from the security of the EP-AB-KEM and the generic AB-AKE protocol that the instantiated protocol is AKE-secure in the generic group and the random oracle models.

5

Extensions

The security model in Section 3 is concerned only about the basic notion of AKE-security without forward secrecy. Forward secrecy is one of the most important security properties for key exchange protocols since it limits the damage of long-term key exposure. A key exchange protocol with forward secrecy ensures that even if the long-term key of a party is exposed, all the past session keys established using that long-term key will remain uncompromised. Forward secrecy seems to be more important in the case of AB-AKE protocols than in the case of normal public key based key exchange protocols. To see why, let us assume that the adversary obtains the private key of a user Ui who possesses a set of attributes Si . If an AB-AKE protocol does not achieve forward secrecy, then the adversary can compromise all the protocol sessions which have been established with access structures that can be satisfied by Si . Note that the party Ui does not even have to participate in any of these sessions. We now define a notion of freshness that takes forward secrecy into account. 5.1

AKE-security with Forward Secrecy

Definition 5 (FS-Freshness). Let A be the access structure for an instance πij . πij is called fs-fresh if the following the conditions hold: (1) the instance πij or any of its partners has not been asked a RevealKey query and (2) there has not been a Corrupt query on an input Si before πij or its partner instances have terminated, such that Si satisfies A. Definition 5 can be coupled with the AKE-security notion in Definition 4 to arrive at AKEsecurity notion with forward secrecy for AB-AKE protocols. 5.2

Constructing AB-AKE Protocols with Forward Secrecy

Our one-round AB-AKE protocol can be modified to achieve AKE-security with forward secrecy for two-party and three-party settings using known techniques. For a two-party AB-AKE protocol with forward secrecy, one can use the technique of Boyd et al. [10] where ephemeral Diffie-Hellman public keys are appended with the encapsulations. Similarly, for a three-party AB-AKE protocol 13

with forward secrecy, the protocol of Joux [24] can be executed in the same round with our EPAB-KEM based protocol. The session keys in both the protocols will include the ephemeral DiffieHellman key components which ensure forward secrecy. However, the protocols will achieve weak forward secrecy, wherein the adversary has to remain passive during protocol execution. The security of the resulting two-party and three-party AB-AKE protocols will depend on the hardness of the computational Diffie-Hellman and bilinear Diffie-Hellman problems respectively along with the security of the underlying AB-AKE protocol (the security of the latter has been proven already). Constructing AB-AKE protocols in the more general group setting needs more than one round. The compiler of Katz and Yung (KY) [26] turns an unauthenticated group key exchange protocol into an authenticated one. The compiler uses a public key based signature as an “authenticator” for this purpose. One may adapt the KY compiler to the attribute-based setting by replacing the normal public key based signature with an attribute-based signature [28]. The resulting compiler can then be applied to the two-round unauthenticated Burmester and Desmedt (BD) protocol [11] to achieve a three-round AB-AKE protocol with forward secrecy. Since the session key established by the BD protocol is ephemeral it achieves forward secrecy, whereas the attribute-based KY compiler provides authentication. Although the attribute-based version of the KY compiler can be constructed with necessary changes to the KY compiler, it may not be straightforward. We leave this construction for future work.

6

Conclusion

We have initiated the concept of AB-AKE in the ciphertext-policy attribute-based system. Our modelling of AB-AKE assumes that each party has a set of attributes and a corresponding private key. A policy is defined (or negotiated) for each execution of the protocol and the parties satisfying the policy can establish a common shared key by executing the protocol. In the security model for AB-AKE, we have considered only outsider adversaries. Our security model can be extended by considering insider attackers who try to impersonate other protocol participants [25]. We have also introduced the concept of EP-AB-KEM. We then proposed a one-round generic AB-AKE protocol based on IND-CCA secure EP-AB-KEMs. For concrete instantiation of this protocol, we have presented an EP-AB-KEM and shown it secure under the IND-CCA notion in the generic group and random oracle models. As a consequence, a concrete AB-AKE protocol based on this EP-AB-KEM would also be secure in the generic group and random oracle models.

References 1. Giuseppe Ateniese, Jonathan Kirsch, and Marina Blanton. Secret Handshakes with Dynamic and Fuzzy Matching. In Proceedings of the Network and Distributed System Security Symposium–NDSS’07. The Internet Society, 2007. 2. Amos Beimel. Secure Schemes for Secret Sharing and Key Distribution. PhD thesis, Israel Institute of Technology, Technion, Haifa, Israel, 1996. 3. Kamel Bentahar, Pooya Farshim, John Malone-Lee, and Nigel P. Smart. Generic constructions of identity-based and certificateless kems. J. Cryptology, 21(2):178–199, 2008. 4. John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-Policy Attribute-Based Encryption. In IEEE Symposium on Security and Privacy, pages 321–334. IEEE Computer Society, 2007. 5. James Birkett and Douglas Stebila. Predicate-Based Key Exchange. Cryptology ePrint Archive, Report 2010/082, 2010. To appear at ACISP 2010. Available at http://eprint.iacr.org/2010/082. 6. Jens-Matthias Bohli, Maria Isabel Gonzalez Vasco, and Rainer Steinwandt. Secure group key establishment revisited. Int. J. Inf. Sec., 6(4):243–254, 2007.

14

7. D. Boneh and M.K. Franklin. Identity-Based Encryption from the Weil Pairing. In Advances in Cryptology– CRYPTO’01, volume 2139 of LNCS, pages 213–229. Springer, 2001. 8. Dan Boneh, Xavier Boyen, and Eu-Jin Goh. Hierarchical Identity Based Encryption with Constant Size Ciphertext. In Advances in Cryptology–EUROCRYPT 2005, volume 3494 of LNCS, pages 440–456. Springer, 2005. 9. Dan Boneh, Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-Ciphertext Security from Identity-Based Encryption. SIAM J. Comput., 36(5):1301–1328, 2007. 10. Colin Boyd, Yvonne Cliff, Juan Manuel Gonz´ alez Nieto, and Kenneth G. Paterson. One-Round Key Exchange in the Standard Model. International Journal of Applied Cryptography, 1(3):181–199, 2009. 11. Mike Burmester and Yvo Desmedt. A Secure and Efficient Conference Key Distribution System (Extended Abstract). In Advances in Cryptology–EUROCRYPT’94, pages 275–286, 1994. 12. Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-Ciphertext Security from Identity-Based Encryption. In Advances in Cryptology–EUROCRYPT 2004, volume 3027 of LNCS, pages 207–222. Springer, 2004. 13. Ling Cheung and Calvin Newport. Provably secure ciphertext policy ABE. In CCS ’07: Proceedings of the 14th ACM conference on Computer and communications security, pages 456–465, New York, NY, USA, 2007. ACM. 14. Ronald Cramer and Victor Shoup. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. SIAM J. Comput., 33(1):167–226, 2004. 15. Alexander W. Dent. A Designer’s Guide to KEMs. In Cryptography and Coding, 9th IMA International Conference, Cirencester, volume 2898 of LNCS, pages 133–151. Springer, 2003. 16. Alexander W. Dent. Hybrid Cryptography. Cryptology ePrint Archive, Report 2004/210, 2004. http://eprint. iacr.org/2004/210. 17. Eiichiro Fujisaki and Tatsuaki Okamoto. How to Enhance the Security of Public-Key Encryption at Minimum Cost. In Public Key Cryptography–PKC ’99, volume 1560 of LNCS, pages 53–68. Springer, 1999. 18. Eiichiro Fujisaki and Tatsuaki Okamoto. Secure Integration of Asymmetric and Symmetric Encryption Schemes. In Michael J. Wiener, editor, Advances in Cryptology–CRYPTO ’99, volume 1666 of LNCS, pages 537–554. Springer, 1999. 19. M. Choudary Gorantla, Colin Boyd, Juan Manuel Gonz´ alez Nieto, and Mark Manulis. Generic One Round Group Key Exchange in the Standard Model. In 12th International Conference on Information Security and Cryptology–ICISC 2009. Springer, 2009. 20. M. Choudary Gorantla, Colin Boyd, and Juan Manuel Gonz´ alez Nieto. On the connection between signcryption and one-pass key establishment. In Steven D. Galbraith, editor, IMA Int. Conf., volume 4887 of LNCS, pages 277–301. Springer, 2007. 21. Vipul Goyal, Abhishek Jain, Omkant Pandey, and Amit Sahai. Bounded Ciphertext Policy Attribute Based Encryption. In Automata, Languages and Programming, 35th International Colloquium–ICALP’08, volume 5126 of LNCS, pages 579–591. Springer, 2008. 22. Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security–CCS’06, pages 89–98. ACM, 2006. 23. Stanislaw Jarecki and Xiaomin Liu. Private Mutual Authentication and Conditional Oblivious Transfer. In Shai Halevi, editor, Advances in Cryptology–CRYPTO’09, volume 5677 of LNCS, pages 90–107. Springer, 2009. 24. Antoine Joux. A One Round Protocol for Tripartite Diffie-Hellman. In Algorithmic Number Theory, 4th International Symposium, volume 1838 of LNCS, pages 385–394. Springer, 2000. 25. Jonathan Katz and Ji Sun Shin. Modeling insider attacks on group key-exchange protocols. In Proceedings of the 12th ACM Conference on Computer and Communications Security–CCS’05, pages 180–189. ACM, 2005. 26. Jonathan Katz and Moti Yung. Scalable Protocols for Authenticated Group Key Exchange. In Advances in Cryptology–CRYPTO’03, volume 2729 of LNCS, pages 110–125. Springer, 2003. 27. Allison Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, and Brent Waters. Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption. Cryptology ePrint Archive, Report 2010/100, 2010. To appear at EUROCRYPT 2010. Available at http://eprint.iacr.org/ 2010/110. 28. Hemanta Maji, Manoj Prabhakaran, and Mike Rosulek. Attribute-based signatures: Achieving attribute-privacy and collusion-resistance. Cryptology ePrint Archive, Report 2008/328, 2008. http://eprint.iacr.org/2008/ 328. 29. Amit Sahai and Brent Waters. Fuzzy Identity-Based Encryption. In Ronald Cramer, editor, Advances in Cryptology–EUROCRYPT’05, volume 3494 of LNCS, pages 457–473. Springer, 2005. 30. J.T. Schwartz. Fast probabilistic algorithms for verification of polynomial identities. J. ACM, 27(4):701–717, 1980.

15

31. Rainer Steinwandt and Adriana Su´ arez Corona. Attribute-based group key establishment. Unpublished manuscript. 32. Brent Waters. Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization. Cryptology ePrint Archive, Report 2008/290, 2008. http://eprint.iacr.org/. 33. R. Zippel. Probabilistic algorithms for sparse polynomials. In E.W. Ng, editor, EUROSAM, volume 72 of LNCS, pages 216–226. Springers, 1979.

A A.1

Preliminaries Bilinear Pairing

Let G0 and G1 be two multiplicative groups of prime order p. Let g be an arbitrary of G0 . The pairing e : G0 × G0 → G1 is called an admissible bilinear map if it has the following properties: Bilinearity: ∀u, v ∈ G0 and a, b ∈ Zp , we have e(ua , v b ) = e(u, v)ab . Non-degeneracy: e(g, g) 6= 1. Computable: There exists an efficient algorithm to compute e(g, g). A.2

Strong Existential Unforgeability

A signature scheme Σ consists of three polynomial time algorithms: SigKeyGen, Sign and Verify. The probabilistic algorithm SigKeyGen generates a signing-verification key pair (sk , vk ). Sign is also a probabilistic algorithm that produces a signature σ on an input message m using the signing key sk . Verify is a deterministic algorithm that takes a tuple (m, σ, vk ) as input and outputs a boolean value. If σ is a valid signature on m under vk , Verify returns 1. Otherwise 0 is returned. A signature is said to be strongly existentially unforgeable against chosen message attacks (sUF-CMA) if there exists no probabilistic polynomial time adversary Acma that has non-negligible success probability in the security game below: Setup: The challenger runs the SigKeyGen algorithm to generate a key pair (sk , vk ) and passes the verification key vk on to Acma . Sign Queries: This query is asked by Acma with a message m as input. The challenger runs the Sign algorithm with signing key sk and returns the signature σ to Acma . Acma is allowed to issue multiple Sign queries in an adaptive manner. Forgery: The adversary outputs a tuple (m∗ , σ ∗ ). It wins the sUF-CMA security game if (1) σ ∗ is a valid signature on the message m∗ under vk and (2) (m∗ , σ ∗ ) has not been an output of any of the Sign queries issued earlier.

B

Security Proof of EP-AB-KEM

We prove the security of our EP-AB-KEM in the generic group and random oracle models. Intuitively, our security proof implies that if there are any weaknesses in our EP-AB-KEM, they will only have come from exploiting specific mathematical structures of the underlying groups or the cryptographic hash functions used in the instantiation. Our proof closely follows the proof of the CP-ABE scheme of Bethencourt et al. [4]. 16

The Generic Group Model [8] . We consider two random encodings ψ0 , ψ1 of the additive group Fp i.e., injective maps ψ0 , ψ1 : Fp → {0, 1}m , where m > 3 log(p). We write G0 = {ψ0 (x)|x ∈ Fp } and G1 = {ψ1 (x)|x ∈ Fp }. We are given oracles to compute the group operations in both the groups and also a non-degenerate bilinear map e : G0 × G0 → G1 . The identity elements in the groups can be accessed by the queries ψ0 (0) and ψ1 (0), while the generators by ψ0 (1) and ψ1 (1). We denote ψ0 (1), ψ0 (x) and ψ1 (y) by g, g x and e(g, g)y respectively. We are also given access to a random oracle to represent the hash function H : {0, 1}∗ → G0 . Theorem 2. Let ψ0 , ψ1 , G0 and G1 be defined as above. For any Acca , let q be the total number of group elements it receives from the oracles and during its interaction with the IND-CCA security game of the EP-AB-KEM. Let AdvAcma be the advantage of a polynomial time adversary Acma against the sUF-CMA notion of the signature scheme Σ. We have the advantage of Acca as max{AdvAcma , O(q 2 /p)}. Proof. Note that in the Challenge phase of the EP-AB-KEM security game, the adversary has to distinguish between real symmetric key and a value randomly chosen from symmetric key probability distribution i.e., with respect to our scheme the adversary has to distinguish between e(g, g)αs and e(g, g)θ for a randomly chosen θ ∈ Fp . At the setup time, the simulation chooses α, β1 , β2 at random from Fp . If β1 = β2 , β1 = 0 or β2 = 0 the setup is aborted just as it would be in the actual construction. The public parameters 1 1 h1 = g β1 , h2 = g β2 , f1 = g β1 , f2 = g β2 and e(g, g)α are sent to the adversary. The answers to the queries asked by Acca as part of the EP-AB-KEM security game are simulated as below: H-queries: The simulation maintains a list for the random oracle H with the input and response as entries. When a query is issued to the random oracle with input i, the simulation first checks if there is an entry for i in the list. If there exists an entry, it returns the previously returned response. Otherwise a new random value ti is chosen from Fp and the value g ti is returned. The values (ti , g ti ) are stored along with the input i. The queries with input vk are answered in the same way. Extract queries: When the Acca makes j-th key generation query on a set of attributes Sj , a new (j) random value r(j) ∈ Fp and for each i ∈ Sj new random value ri ∈ Fp are chosen. The simulator (j) then generates a private key corresponding to Sj as in the scheme. It computes D = g (α+r )/β1 , (j)

(j)

(j)

(j)

E = g r /β2 and for each i ∈ Sj , Di = g r · H(i)ri and Di0 = g ri . The private key is passed onto Acca . Decap queries: When Acca asks for a decapsulation query on an input encapsulation C, the simulation first parses the access tree T 0 from C. It then extracts the verification key vk and the subtree T from T 0 . The simulation first verifies the signature on the encapsulation using vk and if it is valid proceeds with decapsulation as follows: It computes Fvk and Fx for each leaf node and interior node in T as specified in the decapsulation algorithm. Note that this can be performed using appropriate queries to ψ0 , ψ1 and the random oracle H. Finally, FR0 is computed and the symmetric key K recovered. Note that as in the decapsulation algorithm if vk was replaced, the simulation would set K to ⊥. Finally, K is returned. In the Challenge phase, Acca outputs a challenge access structure T ∗ . Let Y ∗ denote the set of leaf nodes in T ∗ . The simulation does the following: It generates a one-time key pair (sk ∗ , vk ∗ ) 0 and constructs an access tree T ∗ from T ∗ and vk ∗ . It then chooses s ∈ Fp . It then computes the 17

shares λi = qi (0) for all i ∈ Y ∗ and λvk ∗ = qvk ∗ (0) as described in the scheme. The choice of λi ’s can be perfectly simulated by choosing l random values µ1 , · · · , µl uniformly at random from Fp for some value l and then letting λi fixed as a public linear combination of µ1 , · · · , µl and s. Later in proof, we will think of λi as such linear combination of these independent random variables. Finally, the simulation chooses a random θ ∈ Fp and constructs the challenge symmetric key and encapsulation as follows: K ∗ = e(g, g)θ and C1∗ = hs1 . For each relevant attribute i, λ ∗ 0 t ∗ λvk ∗ . Let C ∗ = Ci∗ = g λi , Ci0∗ = g ti λi . For the verification key vk ∗ , Cvk ∗ = h2 vk , Cvk ∗ = g vk 0 ). It then computes a signature σ ∗ on C ∗ using the one-time secret key (T ∗0 , C ∗ , Ci∗ , Ci0∗ , Cvk ∗ , Cvk ∗ ∗ sk . The encapsulation values (C ∗ , vk ∗ , σ ∗ ) are sent to Acca . Following the generic proof of Boneh et al. [9], we divide the proof into the following two cases: Case 1: Let Forge be the event that Acca submits a decapsulation query with input (C, vk , σ) that is different from the challenge encapsulation given to it but with vk = vk ∗ . We now show that Pr[Forge] is negligible. With the simulation of Acca ’s queries as described above we now construct a forger Acma against the signature scheme. We assume that Acma is given the challenge verification key vk ∗ at the beginning of the experiment. As described above, the public parameters are generated and answers to Acca ’s queries are simulated. If Acca outputs a query (C, vk ∗ , σ) even before the Challenge phase, then F outputs (C, σ) as its forgery and stops. Let (C ∗ , vk ∗ , σ ∗ ) be the challenge encapsulation given to Acca . If Acca submits a valid encapsulation (C, vk ∗ , σ) in a decapsulation query, as per the EP-AB-KEM security game we must have (C, σ) 6= (C ∗ , σ ∗ ). In this case Acma submits (C, σ) as its forgery. Hence, the success probability of Acma is at least Pr[Forge]. Since, the one-time signature scheme is assumed to be strongly unforgeable, Pr[Forge] ≤ AdvAcma must be negligible. Note that in this case (i.e., when Forge occurs), Acca ’s view would have been identical even if we had set θ = αs. Case 2: In this case, we assume that the event Forge does not occur. We now show that decapsulation queries with an input verification key vk 6= vk ∗ does not give Acca any advantage. Note that since we have assumed that Forge does not occur, a decapsulation query with input vk = vk ∗ must contain an invalid signature. For such a query Acca is returned ⊥. The rest of the proof below deals with Case 2. When Acca makes a query to the group oracles, we may condition on the event that (1) Acca provides as input only the values it received from the simulation or intermediate values it obtained as response from the oracles and (2) there are p distinct values in the ranges of both ψ0 and ψ1 . This event happen with the overwhelming probability of 1 − O(q/p2 ), where q is the upper bound on the number of queries that can be made during the simulation. We may even keep track of the algebraic expressions being called for from the oracles as long as “accidental collisions” do not occur. Specifically, we can think of an oracle query as being a rational function ν = η/ξ in (j) the variables θ, α, β1 , β2 , s, ti ’s, r(j) ’s, ri ’s and µk ’s. An accidental collision would be when for queries corresponding to any two distinct formal rational functions η/ξ 6= η 0 /ξ 0 , we have that the values of η/ξ and η 0 /ξ 0 coincide due to random choices of these independent variables’ values. We now condition that no such accidental collisions occur in either G0 or G1 . For any pair of distinct queries η/ξ and η 0 /ξ 0 within a group, a collision occurs only if the non-zero polynomial η/ξ−η 0 /ξ 0 evaluates to zero. The total degree of this polynomial in our case is at most 5 (a constant). By Schwart-Zippel lemma [30, 33], the probability of this event is O(1/p). By a union bound, the 18

probability that any such collision happens in our simulation is at most O(q 2 /p). Hence, we can condition on no such collision happening and still maintain 1 − O(q 2 /p) of the probability mass. We now consider what the adversary’s view would have been, if we had set θ = αs. In this part of Case 2 of the proof, subject to the above conditioning, we show that the adversary’s view would have been identically distributed. Since we are in the generic group model, where each group element’s representation is uniformly and independently chosen, the only way that adversary’s view can differ in the case θ = αs is if there are two queries ν and ν 0 into G1 such that ν 6= ν 0 but ν|θ=αs = ν 0 |θ=αs . Since θ only occurs as e(g, g)θ in G1 , the only dependence ν or ν 0 can have on θ is by having some additive terms of the form γθ for some constant γ. Therefore we must have ν − ν 0 = γαs − γθ for some constant γ 6= 0. We can then artificially add the query ν − ν 0 + γθ = γαs to the adversary’s queries. We will now show that based on the information given to the adversary it can never construct a query for e(g, g)γαs .

ti (j) ri (j) (j) ti (r + ti0 ri0 ) (j) αs + r s (j) λi0 (r(j) + ti ri ) (j)

λi ti ti0 (j) t i ri 0 (j) r (j) λi0 ri (j)

0

(j)

λi ti λi ti0 α + r(j) λi λi0 ti ti0 λi λi0 (j 0 )

(j)

(j 0 )

r(j) + ti ri ti ti0 λi0 s ti λi λi0 (j) ti λi (r(j) + ti0 ri0 ) (j) (j 0 )

ti λi ri0 (r(j) + ti ri )(r(j ) + ti0 ri0 ) (r(j) + ti ri )ri0 ri ri 0 stvk ; λvk tvk ti tvk tvk 0 tvk λi (j) (j) tvk ti λi tvk tvk 0 λvk 0 tvk (r(j) + ti ri ) tvk ri tvk λvk tvk tvk 0 λvk λvk 0 tvk λvk ti tvk λvk λi (j) (j) tvk ti λvk λi tvk λvk (r(j) + ti ri ) tvk λvk ri r(j) λvk Table 1. Possible query types into G1 from the adversary

Table 1 enumerates all the possible query types into G1 by means of the bilinear map and the group elements given to the adversary except for those that contain β1 or β2 in every monomial as they will not be relevant for constructing a query involving the term αs. In the table, the variables i and i0 are possible attribute strings, j and j 0 are indices of secret key queries made by the adversary and vk and vk 0 are the verification keys generated by KeyGen algorithm of the signature scheme. Note that all the possible queries are given in terms of λi ’s, not µk ’s. It can be checked that the query terms in the table can be formed by the adversary from the information available to it. In addition to the polynomials in the table, the adversary also has access to 1 and α. The adversary can query for arbitrary linear combination of these terms. We will now show that no such combination can produce a polynomial of the form γαs for some constant γ 6= 0. In Table 1 the only term that contains αs is αs + r(j) s, which can be formed by pairing P sβ1 with α+r(j) /β1 . By such queries, the adversary could create a polynomial of the form γαs+ j∈T γj sr(j) for some set T and constants γ, γj 6= 0. To obtain a query polynomial of the form P γαs the adversary must add other linear combinations in order to cancel the terms of the form j∈T γj sr(j) . From the table, the only other terms that the adversary has access to that could involve terms of the form (j) sr(j) are obtained by pairing r(j) + ti ri with some λi0 and also by pairing β2 λvk with r(j) /β2 . This is so since, λi0 and λvk terms are public linear combinations of µ1 , · · · , µl and s. The adversary can create a query polynomial of the form: 19

 γαs +

X j∈T

γj sr(j) +

 (j)

X

λi0 r(j) + λi0 ti ri + λvk r(j)  + other terms.

(i,i0 ,vk )∈Tj 0

We now complete the proof with the following case analysis that shows that any of the adversary’s query polynomials cannot be of the form γαs. Case 2a: In this case, let us assume that there exists some j ∈ T such that the set of secret shares Lj = {λi0 , λv k : ∃i : (i, i0 , vk ) ∈ Tj0 } do not allow for reconstruction of s. If this is the case, then the term sr(j) will not be cancelled and hence the adversary’s query cannot be of the form γαs. Case 2b: Now we assume that for all j ∈ T , the set of secret shares Lj = {λi0 , λv k : ∃i : (i, i0 , vk ) ∈ Tj0 } do allow for the reconstruction of the secret s. Fix any j ∈ T . Consider the set of attributes Sj that belongs to the j-th Extract query from the adversary. By the restriction that no requested key should pass the challenge access structure and by the properties of the secret sharing scheme, the set of shares L0j = {λi : i ∈ Sj } cannot reconstruct s. Thus, there must exist at least one share λi0 in Lj such that λi0 is linearly dependent of L0j when written in (j)

terms of s and µ1 , · · · , µl . Thus for some i ∈ Sj , there must be a term of the form λi0 ti ri in the adversary’s queries. However, it is evident from Table 1 that the adversary has no access to a term of this form. Hence, none of the queries can be of the form γαs.

C

Security Proof of the Generic AB-AKE Protocol

Proof. We prove the theorem in a sequence of games. Let Si be the event that Aake wins the AKE-security game in Game i. Game 0. This is the original AKE-security game as per Definition 4. We have AdvAake = |2 · Pr[S0 ] − 1|.

(3)

Game 1. This game is the same as the previous one except that if two different sessions at user Ui output identical message Ci , then the game aborts. Let Repeat be such an event. As there are n ˜ users in the protocol, we have | Pr[S0 ] − Pr[S1 ]| ≤ n ˜ · Pr[Repeat].

(4)

As the adversary is allowed to activate at most qs number of sessions, we have Pr[Repeat] ≤

qs2 . |C|

(5) R

Game 2. This is the same as the previous game except that a value t ← [1, qs ] is chosen. If the Test query does not occur in the t-th session the game aborts and outputs a random value. Let E2 be the event that the guess is correct.   1 1 1 Pr[S2 ] = Pr[S2 |E2 ] Pr[E2 ] + Pr[S2 |¬E2 ] Pr[¬E2 ] = Pr[S1 ] + 1− . (6) qs 2 qs 20

Game 3. This is identical to the previous game except that the output of each fKi for 1 ≤ i ≤ n ˜ k is replaced by a random value chosen uniformly from {0, 1} . We have, | Pr[S2 ] − Pr[S3 ]| ≤ n ˜ · AdvAprf .

(7)

Game 4. This game is identical to the previous game except that the queries asked of Aake are now answered by Acca , an adversary against the IND-CCA security of the underlying EP-AB-KEM as follows: Acca forwards the public parameters that it received from its challenger to Aake . Note that if we allow Aake to choose the access structure in the Test session, Aake chooses A∗ and sends it to Acca at the beginning of the Test session. Otherwise, Acca itself may choose A∗ . Once Aake chooses the Test session, Acca gives the challenge access structure A∗ to its challenger. The EP-AB-KEM challenger returns (Kb , C ∗ ) to Acca as described in Definition 2. The goal of Acca is to output whether Kb is encapsulated within C ∗ or not. Acca finally chooses a user Ui∗ whose attributes Si∗ satisfy the challenge access structure A∗ . With these choices, Acca now starts simulating answers to the queries of Aake as below. Note that we explain only the simulation done in the test session. The queries issued in all the other sessions can be trivially answered by Acca , since it is allowed to extract private keys corresponding to attributes that satisfy all the access structures except A∗ . Send(πit , m): If m contains only A∗ , as per the protocol it has to initiate the test session at Ui . If Ui = Ui∗ , Acca returns the challenge encapsulation C ∗ as the outgoing message from the instance πit . Otherwise, Acca runs the Encapsulation algorithm on behalf of Ui and obtains the pair (Ki , Ci ). It keeps Ki with itself and returns Ci as the outgoing message. On the other hand, if the message contains an encapsulation Ci , Acca proceeds as follows: 1. If Ui = Ui∗ , it issues a Decap query to its challenger with Ci and the attributes of Ui∗ as input. If the challenger returns a key Ki , Acca stores Ki and accepts the session. Otherwise, the session is rejected. Note that if Ui = Ui∗ , then Ci cannot be equal to Ci∗ conditioning on the event Repeat in Game 1. 2. If Ui 6= Ui∗ , Acca first checks if Ci = Ci∗ . If it matches Acca accepts the session. Otherwise, as described above it issues Decap query to its challenger with Ci and the attributes of Ui∗ as input. Note that the attributes of Ui∗ satisfy the access structure A∗ embedded in Ci . If the challenger returns a key Ki , Acca stores Ki and accepts the session. Otherwise, Acca rejects the session. RevealKey(πij ): Note that a RevealKey query on the test session is not allowed. In all other sessions Acca can answer this query by simply asking Decap query on all the encapsulations exchanged in that session. Since Acca is also allowed to extract private keys corresponding to attributes that do not satisfy A∗ , it can trivially answer the RevealKey queries of all the sessions other than the test session. Corrupt(Si ): If Si do not satisfy A∗ , then Acca can trivially answer this query using the Extract query available to it as part of the IND-CCA security game of the EP-AB-KEM. Test(πit ): Acca now embeds the challenge key Kb into the response to Aake . It computes the challenge key κ∗ = fK1 (sid) ⊕ · · · ⊕ fKb (sid) ⊕ · · · ⊕ fKn (sid). Note that, as described in the simulation of Send queries above, all the symmetric other than Kb are either generated by Acca or obtained from its challenger via Decap queries. The key κ∗ is returned to Aake . Since the simulation by Acca for Aake is perfect without any aborts, Game 3 and Game 4 are indistinguishable. We have Pr[S4 ] = Pr[S3 ]. 21

Let b0 be the output of Aake . Acca simply passes this bit onto its challenger. This game is essentially Aake playing IND-CCA security game against the EP-AB-KEM’s challenger. Acca succeeds whenever Aake does so. Hence, the advantage of Acca is at least the same as that of Aake . We have |2 · Pr[S4 ] − 1| ≤ AdvAcca .

(8)

From Equations 3 to 8,we have the claimed advantage for Aake . Remark 3. From Game 4 of the above proof, it is evident that Acca obtains the challenge access structure A∗ only at the initiation of the Test session. However, Acca has to answer the queries asked by Aake on sessions established prior to the Test session for which Acca has to interact with its challenger. As in the selective security model for EP-AB-KEM, if Acca commits to an access structure at the start of its game, it cannot simulate answers to all the queries asked by Aake . Hence, we need an IND-CCA secure EP-AB-KEM secure in the fully adaptive model for our generic construction of AB-AKE protocols.

D

Ciphertext Policy Attribute-based Hybrid Encryption

We now extend the paradigm of hybrid encryption to CP-ABE. We show that an IND-CCA secure EP-AB-KEM when combined with any IND-CCA secure DEM will result in an IND-CCA secure CP-ABE scheme. The hybrid CP-ABE scheme will have the usual efficiency advantages that a hybrid encryption scheme has over a direct public key encryption scheme. While our proof may seem straightforward, note that it has not previously been formally established. Combining a KEM and a DEM to achieve a secure hybrid encryption scheme is not always trivial, for example, as in the case of certificateless KEMs [3]. Moreover, Gorantla et al. [20] described a notion of security for signcryption KEMs which can be useful in establishing a relationship with key exchange protocols, but cannot be used in combination with any DEM for the purpose of hybrid signcryption. Hence, it is necessary to validate the combination of any KEM and DEM. We show our result only for fully adaptive CCA-secure hybrid CP-ABE schemes. Our proof can be easily extended to other flavours of security i.e., notions that consider CPA-secure and/or selective-policy CP-ABE schemes. D.1

CCA Security for CP-ABE Schemes

A CP-ABE scheme consists of four polynomial time algorithms: Setup, Encrypt, KeyGen, Decrypt. An optional Delegate algorithm may also exist. The access structure A and the set of parties are as defined in Section 2. Setup(k, U) This algorithm takes the security parameter k and the attribute universe description U as inputs. The public parameters PK and the master key MK are the outputs. Encrypt(PK , M, A) This algorithm takes as input the public parameters PK , a message M and an access structure A over the attribute universe U. This algorithm encrypts M and produces a ciphertext CT such that only a user that possesses a set of attributes satisfying A will be able to decrypt the message. We assume that the ciphertext implicitly contains A. 22

KeyGen(MK , PK , S) This algorithm takes as input the master key MK , the public parameters PK and a set of attributes S. The output is a private key SK corresponding to the attribute set S. Decrypt(PK , CT, SK ) takes as input the public parameters PK , a ciphertext CT which contains an access structure A and a private key SK corresponding to a set of attributes S. The algorithm returns either a message M or ⊥. For a CP-ABE scheme to be considered valid, it is required that for any message M from the message space, for any key SK corresponding to an attribute set S, if S satisfies A and if CT ← Encrypt(PK , M, A), then Decrypt(PK , CT, SK ) = M . Bethencourt et al. [4] defined the notion of fully adaptive CPA security for CP-ABE schemes. An analogous model with selective security has been defined by Goyal et al. [21]. As remarked by Waters [32], the CPA security model of Bethencourt et al. could be easily extended to model CCA security. We now describe IND-CCA security notion for CP-ABE schemes. Definition 6. A CP-ABE is IND-CCA secure if the advantage of any PPT adversary Acca in the following game is negligible in the security parameter k. Setup: The challenger runs the Setup algorithm and returns the public parameters PK to Acca . Phase 1: Acca issues Extract and Decap queries as follows: Extract: This query can be issued multiple times with sets of attributes S1 , · · · , Sq1 as input. The challenger returns a private key corresponding to each input attribute set. We do not require the input attribute sets to be distinct. Decrypt: This query is issued with a ciphertext CT and an attribute set S as inputs. Note that CT implicitly contains an access structure A defined over the attribute universe U. The challenger executes the Decrypt algorithm on CT using a private key corresponding to S and returns the output of Decrypt to Acca . Challenge: At the end of Phase 1, Acca gives an access structure A∗ defined over U and two plaintexts m0 and m1 of same length to the challenger. The challenger first chooses a bit b. It then runs the Encrypt algorithm with A∗ and mb as input and generates a ciphertext CT∗ . The challenge ciphertext CT∗ is given to Acca . A trivial restriction on the adversary’s choice of A∗ is that none of the attributes sets S1 , · · · , Sq1 passed as input to Extract queries in Phase 1 should satisfy A∗ . Phase 2: Acca is allowed to execute in the same way as in Phase 1 with the following restrictions: (1) none of the attribute sets Sq1 +1 , · · · , Sq passed as input to Extract queries in Phase 2 satisfy A∗ and (2) a Decrypt query with CT∗ as input in combination with an attribute set S ∗ that satisfies A∗ is not allowed. Guess: The goal of Acca is to guess which of the messages m0 or m1 is encrypted is encrypted within CT∗ . Acca finally outputs a guess bit b0 . It wins the game if b0 = b. The advantage of Acca is given as AdvAcca = |2 · Pr[b0 = b] − 1|. D.2

CCA Security for DEM

The security requirements considered for a DEM are the same as those for a symmetric encryption scheme [14, 16]. We first describe the syntax for DEMs and then the notion of IND-CCA security considered for them. A DEM consists of a pair of deterministic algorithms: 23

ENC takes as input a message m of arbitrary length and a symmetric key K of some predetermined length. The output is a ciphertext C which is computed on m using K. DEC takes as input a ciphertext C and a symmetric key K of some pre-determined length and outputs either a message m or an error symbol ⊥. A DEM must satisfy the following soundness property: for all K ∈ {0, 1}k , and for any message m ∈ {0, 1}∗ , we have DEC(K, ENC(K, m)) = m. The IND-CCA security model for DEMs has been defined as follows: 1. The challenger generates a key K. The description of the DEM is given to the adversary, while K is kept secret. 2. The adversary is allowed to run until it submits two messages m0 and m1 of the same length to the challenger. The challenger selects a random bit θ ∈ {0, 1} and encrypts mθ using K. The resulting ciphertext C ∗ is returned to the adversary. 3. The adversary is given access to a decryption oracle only after it receives the challenge ciphertext. It may query issues decryption queries on any input C 6= C ∗ . The oracle returns m ← DEC(K, C) to the adversary. 4. Finally, the adversary outputs a bit θ0 and wins the game if θ0 = θ. The advantage of the adversary is defined as |2 · Pr[θ0 = θ] − 1|. Cramer and Shoup [14] presented an IND-CCA construction of a DEM using symmetric key techniques. D.3

Hybrid CP-ABE

Let (Setup,Encapsulation, KeyGen, Decapsulation) and (ENC,DEC) be the given EP-AB-KEM and DEM respectively. We assume that the length of keys generated by the EP-AB-KEM is the same as the length of the keys used by the DEM. Following Cramer and Shoup [14], a hybrid CP-ABE (Setup,Encrypt, KeyGen, Decrypt) can be constructed as follows: Setup and KeyGen: The Setup and KeyGen algorithms of the hybrid CP-ABE will remain the same as the corresponding algorithms of the underlying EP-AB-KEM scheme. Encrypt(PK , M, A): This algorithm first runs the encapsulation algorithm of the EP-AB-KEM and obtains a symmetric key-encapsulation pair i.e., (K, C1 ) ← Encapsulation(PK , A). It then runs the encryption algorithm of the DEM on the input message using the key K i.e., C2 ← ENC(K, M ). It returns CT = (C1 , C2 ) as the ciphertext. Decrypt(PK , CT, SK ): It first parses the ciphertext CT as (C1 , C2 ) and returns ⊥ if there is any failure in parsing. Otherwise, it first executes the decapsulation algorithm of the EP-AB-KEM to compute a symmetric key i.e., K ← Decapsulation(SK , PK , C1 ). If Decapsulation rejects, it outputs ⊥. Finally, it executes the decryption algorithm of the DEM with C2 as input using K and extracts the message i.e., M ← DEC(K, C2 ). We now restate the theorem of Cramer and Shoup [14] in the context of hybrid CP-ABE as follows. Theorem 3. If EP-AB-KEM and DEM are IND-CCA secure then so is the hybrid CP-ABE scheme. The advantage of a PPT adversary Acpabe against the IND-CCA security of the hybrid CP-ABE scheme is given as 24

AdvAcpabe ≤ 2 · (AdvAkem + AdvAdem ) where AdvAkem is the advantage of a PPT adversary Akem against the IND-CCA security of the underlying EP-AB-KEM and AdvAdem is the advantage of a PPT adversary Adem against the IND-CCA security of the underlying DEM. Proof. The proof is given in a sequence of games. Let Si be the event that the adversary against the hybrid CP-ABE scheme wins in Game i. Game 0. This is the original IND-CCA game defined for the CP-ABE scheme. We have AdvAcpabe = |2 · Pr[S0 ] − 1|. (9) Game 1. This game is identical to the previous game with the following changes: During the Challenge phase, when Acpabe outputs a challenge access structure A∗ and a pair of messages m0 and m1 , the challenge ciphertext (C1∗ , C2∗ ) is computed as follows and is returned to Acpabe : R – b ← {0, 1}. – (K, C1∗ ) ← Encapsulation(PK , A∗ ). R – K ∗ ← {0, 1}k . – C2∗ ← ENC(K ∗ , Mb ). For any decryption query with input (S, (C1∗ , C2 )), where C2 6= C2∗ and for S satisfying the challenge access structure A∗ , then return DEC(K ∗ , C2 ) as the response. We now describe an adversary Akem against the IND-CCA security of the EP-AB-KEM which can simulate this game for Acpabe . Akem forwards the public parameters to Acpabe . Note that Akem can answer any key extraction query of Acpabe , by forwarding it as its own Extract query to its challenger. Similarly, the Decrypt queries of Acpabe are answered using its access to the Decap oracle. Specifically, on any Decrypt query with input (S, (C1 , C2 )), Akem first queries its Decap oracle with input (S, C1 ) and obtains a symmetric key K. If K = ⊥, it returns ⊥. Otherwise, it then executes the DEC algorithm of the DEM with C2 as input using the K and extracts the message i.e., M ← DEC(K, C2 ). During the Challenge phase, when Acpabe outputs (A∗ , m0 , m1 ), Akem forwards A∗ to its chalR

lenger. Let (K ∗ , C1∗ ) be the challenge given to it. Akem now selects a random bit θ ← {0, 1} and computes C2∗ ← ENC(K ∗ , Mθ ). The challenge ciphertext (C1∗ , C2∗ ) is returned to Acpabe . All the queries in Phase 2 are answered as before, except that when a decryption query of the form (S, (C1∗ , C2 )), where C2 6= C2∗ and for S satisfying the challenge access structure A∗ is given it returns DEC(K ∗ , C2 ) as the response. Finally, Acpabe outputs a bit θ0 . If θ0 = θ, it outputs 1, otherwise outputs 0. Thus Akem wins whenever Acpabe does. We have | Pr[S0 ] − Pr[S1 ]| ≤ AdvAkem . (10) cpabe Note that this game is essentially A playing the IND-CCA game against the DEM. This is so particularly since the ciphertext component C2∗ is generated using a random symmetric key K ∗ . We have |2 · Pr[S1 ] − 1| = AdvAdem . By combining the Equations 9 to 11, we have the claimed advantage for Acpabe .

25

(11)